June 9, 2011

Google’s Chief Security Officer (yes, companies now have a CIO and a CSO), Eran Feigenbaum, stirred a debate recently when he questioned the obsession of the US (and other governments) about data sovereignty in outsourced environments. He is quoted as saying: “It is an old way of thinking. Professionals should worry about security and privacy of data, rather than where it is stored.”

What do you think? Should it matter *where* data is stored (or for that matter where the pipes carrying it happen to be)? Assuming a cloud provider meets what it promises in its SLA (availability, persistence, proper authentication/encryption, etc.), can you think of vulnerabilities that necessiates that data resides on “American Soil”?

The other interesting statement by Google’s CSO regards the need for encryption of data at rest (i.e., on disk as opposed to end-to-end through an application): “It is a false sense of security. Crypto people do a good job at cryptography, but a really bad job at key management.”

One vulnerability: foreign governments getting special access to the servers to spy on our companies (because companies are generally really really bad at actually securing their data). France is notorious for economic espionage to say nothing of Russia or China. While having the data on machines physically in the US does not eliminate this, it does reduce the threat, and at the very least it makes the perpetrators vulnerable to arrest and prosecution.

Also, in the US, we have the “national security” letters that basically let the FBI get access to whatever it wants, whenever it wants and the recipient of the letter is legally bound to never tell anyone that anything ever happened. Foreign entities may not be so comfortable with that arrangement.

Ideally, it should not matter. Realistically it does. Also, one question for the “it doesn’t matter!” crowd is how does one do or even enforce discovery of evidence in a trial when the evidence is “physically” located elsewhere? How would digital forensics fair?